From da4842eb7b9e7c78d14fdd2731d59855a4ec2a81 Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Tue, 30 Apr 2024 11:31:06 +0200
Subject: [PATCH] auth.php: disallow unencrypted logins by default

---
 composer.json | 1 +
 inc/config.php | 5 +++++
 inc/functions/net.php | 10 ++++++++++
 inc/mod/auth.php | 7 +++++--
 inc/mod/pages.php | 9 +++++++--
 5 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 inc/functions/net.php

diff --git a/composer.json b/composer.json
index b06ff6a1..e5b73d9b 100644
--- a/composer.json
+++ b/composer.json
@@ -33,6 +33,7 @@
 "inc/lock.php",
 "inc/queue.php",
 "inc/functions.php",
+ "inc/functions/net.php",
 "inc/driver/http-driver.php",
 "inc/driver/log-driver.php",
 "inc/service/captcha-queries.php"
diff --git a/inc/config.php b/inc/config.php
index 03e6044e..2b271ee2 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -194,6 +194,10 @@
 // Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
 $config['cookies']['httponly'] = true;
 
+ // Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
+ // load-balancer without encryption.
+ $config['cookies']['secure_login_only'] = true;
+
 // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
 $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
 
@@ -1252,6 +1256,7 @@
 // Moderator errors
 $config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
 $config['error']['invalid'] = _('Invalid username and/or password.');
+ $config['error']['insecure'] = _('Login on insecure connections is disabled.');
 $config['error']['notamod'] = _('You are not a mod…');
 $config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.');
 $config['error']['malformed'] = _('Invalid/malformed cookies.');
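Review bot: The comment above `$config['cookies']['secure_login_only'] = true;` in the first inc/config.php hunk tells operators to turn the flag off behind an unencrypted load-balancer, but not how the check decides that a request is encrypted, so a deployment that terminates TLS at a reverse proxy will presumably hit the new `insecure` error on every login with no hint why. The check itself lives in inc/functions/net.php, which this chunk only begins, so I cannot see whether it consults only `$_SERVER['HTTPS']` or also a forwarded-scheme header; whichever it is, the comment should name it, e.g. `// Only honours TLS that PHP itself sees; if TLS terminates at a reverse proxy, pass the scheme through (e.g. X-Forwarded-Proto) or disable this.` The key also sits under `$config['cookies']` although it governs the login request rather than a cookie attribute; unless the mod cookie is already sent with the Secure attribute elsewhere, requiring HTTPS for the login alone still leaves the session cookie exposed on later plain-HTTP requests, so a companion `secure` cookie setting next to `httponly` (or a comment pointing to where it is set) would complete the change.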
diff --git a/inc/functions/net.php b/inc/functions/net.php
new file mode 100644
index 00000000..ab08c3cb
--- /dev/null
+++ b/inc/functions/net.php
@@ -0,0 +1,10 @@
+